From 3a8a82d385daf325341fb350075d2604b4814385 Mon Sep 17 00:00:00 2001
From: kaboissonneault
Date: Wed, 4 Oct 2023 09:18:02 -0400
Subject: [PATCH 1/2] Fixed out-of-bounds access in GetFactoryMonFixedIV when generating player rentals in round 8 (if player has 15+ swaps) and in round 9
---
 src/battle_factory.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/battle_factory.c b/src/battle_factory.c
index 5905b41917..46d34efd7d 100644
--- a/src/battle_factory.c
+++ b/src/battle_factory.c
@@ -741,7 +741,14 @@ u8 GetFactoryMonFixedIV(u8 challengeNum, bool8 isLastBattle)
 u8 ivSet;
 bool8 useHigherIV = isLastBattle ? TRUE : FALSE;

+// The Factory has an out-of-bounds access when generating the rental draft for round 9 (challengeNum==8),
+// or the "elevated" rentals from round 8 (challengeNum+1==8)
+// This happens to land on a number higher than 31, which is interpreted as "random IVs"
+#ifdef BUGFIX
+ if (challengeNum > 7)
+#else
 if (challengeNum > 8)
+#endif
 ivSet = 7;
 else
 ivSet = challengeNum;
From 0a183c2027649e0042e066b0890f68088d1e0546 Mon Sep 17 00:00:00 2001
From: kaboissonneault
Date: Thu, 5 Oct 2023 08:26:34 -0400
Subject: [PATCH 2/2] Changed sFixedIVTable access from hardcoded index limits to ARRAY_COUNT
---
 src/battle_factory.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/battle_factory.c b/src/battle_factory.c
index 46d34efd7d..3606d88e6a 100644
--- a/src/battle_factory.c
+++ b/src/battle_factory.c
@@ -745,11 +745,11 @@ u8 GetFactoryMonFixedIV(u8 challengeNum, bool8 isLastBattle)
 // or the "elevated" rentals from round 8 (challengeNum+1==8)
 // This happens to land on a number higher than 31, which is interpreted as "random IVs"
 #ifdef BUGFIX
- if (challengeNum > 7)
+ if (challengeNum >= ARRAY_COUNT(sFixedIVTable))
 #else
- if (challengeNum > 8)
+ if (challengeNum > ARRAY_COUNT(sFixedIVTable))
 #endif
- ivSet = 7;
+ ivSet = ARRAY_COUNT(sFixedIVTable) - 1;
 else
 ivSet = challengeNum;
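Review bot: The comment added above `#ifdef BUGFIX` says the out-of-range read "happens to land on a number higher than 31", but it does not say that this outcome depends on whatever data is placed after the table in the built image. In the non-BUGFIX path `challengeNum == 8` still passes the `> 8` test and is used as the index, so the value returned can change with a different compiler, link order or an edit to neighbouring data. I would add one more comment line, for example `// The value read is whatever follows the table in memory, so this result is specific to the original build layout`. The statement that indexes the table lies outside the hunk, so this is inferred from the commit subject and the comment text.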
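Review bot: In the `#else` branch, `if (challengeNum > ARRAY_COUNT(sFixedIVTable))` still lets a `challengeNum` equal to the table length fall through to `ivSet = challengeNum`, which is one past the last valid index. That preserves the unfixed behaviour, but now that it is spelled with ARRAY_COUNT it reads like a typo for `>=` and is likely to be silently "corrected" in a later cleanup. A trailing comment on that line would make the intent explicit, for example `// deliberately off by one: keeps the unfixed out-of-bounds read when BUGFIX is not defined`. The function continues past the end of the hunk, so the array read itself is not visible here.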